Choose a language:

Everything you need to know about preventing online shopping bots

Published:
Updated: 11 Sep 2024
green bot in shopping cart

Online shopping bots are moving from one ecommerce vertical to the next. And they're getting more sophisticated by the day. As an online retailer, you may ask, "What's the harm? Isn't a sale a sale?". But bots pose major risks to your business. Read on to discover if you have an ecommerce bot problem, learn why preventing shopping bots matters, and get 4 steps to help you block bad bots.

In 2022, a top 10 footwear brand dropped an exclusive line of sneakers. Traffic to the site soared. The sneakers sold out.

Everything seemed to go according to plan. But behind the scenes, something was wrong.

Queue-it ran a post-sale audit on this drop and found up to 97% of the activity was non-human—clicks, visits, and requests from malicious bots designed to snatch up product to resell it at huge markups.

Of the 1.7 million visitors who tried to access the drop, less than 100,000 were playing by the rules.

Retail bot attacks like this are becoming more and more common. Bot traffic increased 106% YoY in 2021. Almost 30% of traffic to online retail sites is now bots. And it gets more difficult every day for real customers to buy hyped products directly from online retailers.

What are signs of a shopping bot problem, though? What business risks do they actually pose, if they still result in products selling out? And what steps can you take to stop retail bots? Read on to find out.

Table of contents

 

Do you have a bot problem? Get your free guide to uncover the risks of bots & discover how you can beat them
retail bots guide

What are shopping bots?

An online shopping bot, also known as an "ecommerce bot" or "grinch bot", is software that's programmed to facilitate online purchases by performing automated tasks like checking for re-stocks and completing checkouts. Bots often imitate a human user's behavior, but with their speed and volume advantages they can unfairly find and buy products in ways human customers can't.

Online shopping bots perform different malicious tasks. An individual bot may do one or more of these. A "grinch bot", for example, usually refers to bots that purchase goods, also known as scalping. But there are other nefarious bots, too, such as bots that scrape pricing and inventory data, bots that create fake accounts, and bots that test out stolen login credentials.


RELATED:
Protect Against Bad Bots & Prevent Abuse With a Virtual Waiting Room

How do online shopping bots work?

Online shopping bots work by using software to execute automated tasks based on instructions bot makers provide.

What all shopping bots have in common is that they provide the person using the bot with an unfair advantage. If shoppers were athletes, using a shopping bot would be the equivalent of doping.

For example, imagine that shoppers want to see a re-stock of collectible toys as soon as they become available. One option would be to sit at their computer, manually refresh their browser, and stare at their screen 24/7 until that re-stock happens. Needless to say, this wouldn’t be fun, and would be impossible for more than a day or two.

A second option would be to use an online shopping bot to do that monitoring for them. The software program could be written to search for the text “In Stock” on a certain field of a web page.

When that happens, the software code could instruct the bot to notify a certain email address. The shopper would have to specify the web page URL and the email address, and the bot will vigilantly check the web page on their behalf.

That’s just one example. It may seem innocent enough, but when added together with other nefarious bot types it adds up to an unfair advantage over others.

 

What are the different types of retail bots?

When you hear “online shopping bot”, you’ll probably think of a scraping bot like the one just mentioned, or a scalper bot that buys sought-after products. But there are many other types of online shopping bots. Here’s a list of the most common.

 

scraping shopping botScraping bots

Like in the example above, scraping shopping bots work by monitoring web pages to facilitate online purchases. These bots could scrape pricing info, inventory stock, and similar information.

 

footprinting shopping botFootprinting bots

Footprinting is like scraping, but involves the bot probing and scanning the website. For example, a footprinting bot could search for live web URLs that haven’t yet been made public.

When the manager of a U.K.-based reseller group was asked how he bought so many PlayStation 5 consoles he answered: “We knew where to go before they announced it”. That’s footprinting in action.

Footprinting is also behind examples where bad actors ordered PlayStation 5 consoles a whole day before the sale was announced. By the time the retailer closed the loophole that gave the bad actors access, people had picked up their PS5s—all before the general public even knew about the new stock.

 

account creation shopping botAccount creation bots

For bad actors to complete purchases, they need to use an account. Bad actors can generate a list of free emails and then use an account creation bot to generate accounts in bulk, sometimes in the hundreds or thousands.   

 

account takeover shopping botCredential stuffing & cracking bots

Sometimes instead of creating new accounts from scratch, bad actors use bots to access other shopper’s accounts. Both credential stuffing and credential cracking bots attempt multiple logins with (often illegally obtained) usernames and passwords.

In a credential stuffing attack, the shopping bot will test a list of usernames and passwords, perhaps stolen and bought on the dark web, to see if they allow access to the website.

A credential cracking bot will start with one value, like an email, and then test different password combinations until the login is successful.

 

scalping shopping botScalping bots

Probably the most well-known type of ecommerce bot, scalping bots use unfair methods to get limited-availability and/or preferred goods or services.

For example, scalper bots can “sit” on the product web page, constantly refreshing to click “add to cart” the second the product becomes available. Then the scalper bot can click through the purchase journey, autofill billing and shipping information, and press “buy” in the time it takes a human visitor to enter his or her email address.

 

denial of inventory shopping botDenial of inventory bots

Ever wonder how you’ll see products listed on secondary markets like eBay before the products even go on sale? Denial of inventory bots are to blame.

Representing the sophisticated, next-generation bots, denial of inventory bots add products to online shopping carts and hold them there. They don’t buy them—at least not initially.

By holding products in the carts they deny other shoppers the chance to buy them. What often happens is that discouraged shoppers turn to resale sites and fork over double or triple the sale price to get what they couldn’t from the original seller.

Only when a shopper buys the product on the resale site will the bad actor have the bot execute the purchase.

Denial of inventory bots are especially harmful to online business’s sales because they could prevent retailers from selling all their inventory.

 

cashing out shopping botCashing out bots

Bad actors don’t have bots stop at putting products in online shopping carts. They’ll use bots to validate stolen credit card information. Cashing out bots then buy the products reserved by scalping or denial of inventory bots.

What products do ecommerce bots target?

You can find grinch bots wherever there’s a combination of scarcity and hype. While scarcity marketing is a powerful tool for generating hype, it also creates the perfect mismatch between supply and demand for bots to exploit for profit. Bot operators secure the sought-after products by using their bots to gain an unfair advantage over other online shoppers.

And these bot operators aren’t just buying one or two items for personal use. They’re buying dozens. That’s why these scalper bots are also sometimes called “resale bots”.

Resellers and bots aren’t fussy or loyal customers. Whether they’ll buy your products or not depends on one key question: can they sell them for more than you’re selling them?

Let's look at a few areas that fulfill this criteria for greedy retail bots.


Sneaker bots

As streetwear and sneaker interest exploded, sneaker bots became the first major retail bots. Unfortunately, they’ve only grown more sophisticated with each year.

The sneaker resale market is now so large, that StockX, a sneaker resale and verification platform, is valued at $4 billion. We mentioned at the beginning of this article a sneaker drop we worked with had over 1.5 million requests from bots. With that kind of money to be made on sneaker reselling, it's no wonder why.

And it's not just individuals buying sneakers for resale—it's an industry. As Queue-it Co-founder Niels Henrik Sodemann told Forbes, "We believe that there [are] at least a hundred organizations ... where people can sign up to get the access to the sneakers."

Related: Everything You Need to Know About Preventing Sneaker Bots

In early 2020, for example, a Strangelove Skateboards x Nike collaboration was met by “raging botbarians”. According to the company, these bots “broke in the back door…and circumstances spun way, way out of control in the span of just two short minutes. 💔” The company cancelled their online release altogether.

As another example, the high resale value of Adidas Yeezy sneakers make them a perennial favorite of grinch bots. The Yeezy 700 “Suns” dropped in January 2021 for $240. They were quickly reselling at triple that price. Alarming about these bots was how they plugged directly into the sneaker store’s API, speeding by shoppers as they manually entered information in the web interface. 

Sneaker bot operators aren’t hiding in the shadows—they’re openly showing off their wins.

There are hundreds of YouTube videos like the one below that show sneakerheads using bots to scoop up product for resale.

 

 

Graphics cards bots

Ecommerce bots have quickly moved on from sneakers to infiltrate other verticals—recently, graphics cards.

In 2020 both Nvidia and AMD released their next generation of graphics cards in limited quantities. The graphics cards would deliver incredibly powerful visual effects for gaming, video editing, and more.

Nvidia launched first and reseller bots immediately plagued the sales.

A couple weeks later, the story repeated itself with the RTX 3090s, despite Nvidia promising to beef up their bot and abuse mitigation after the botted RTX 3080s launch.

The 3090s sales price was about $1,500, but they were often selling at $3,000-$6,000 on secondary marketplaces, with some as high as $70,000!

The bot-riddled Nvidia sales were a sign of warning to competitor AMD, who “strongly recommended” their partner retailers implement bot detection and management strategies.

 

Gaming console bots

The releases of the PlayStation 5 and Xbox Series X were bound to drive massive hype. It had been several years since either Sony or Microsoft had released a gaming console, and the products launched at a time when more people than ever were video gaming.

It’s no surprise they were prime bot targets from the start. And the shopping bots came out in force.

When Walmart.com released the PlayStation 5 on Black Friday, the company says it blocked more than 20 million bot attempts in the sale’s first 30 minutes. Every time the retailer updated stock, so many bots hit that the website of America’s largest retailer crashed several times throughout the day

One U.K.-based reseller group snagged nearly 3,500 PlayStation 5 consoles. And such resellers can expect a healthy return. According to a sweet bit of data analysis by data engineer Michael Driscoll, scalpers made profits of over $10 million selling Xbox consoles and $16 million selling PlayStations—and that’s only on eBay. And it’s no wonder, given the consoles were going for 150-300% of retail price on these secondary marketplaces.

PS 5 resale chart

Image by Michael Driscoll

Holiday Season sales & Grinch bots

During the 2021 Holiday Season marred by supply chain shortages and inflation, consumers saw a reported 6 billion out-of-stock messages on online stores.

In this context, bots and resellers turned their attention to grabbing in-demand Christmas gifts and selling them at huge markups.

As one bot developer and reseller told Bloomberg in 2021: “For bot users targeting retailers, I think it will be a very merry Christmas.”

You can see why they call them grinch bots.


RELATED: How To Use Scarcity Marketing & Product Drops for Black Friday Success

 

Limited-edition product drops

Limited-edition product drops involve the perfect recipe of high demand and low supply for bots and resellers. When a brand generates hype for a product drop and gets their customers excited about it, resellers take notice, and ready their bots to exploit the situation for profit.

When Queue-it client Lilly Pulitzer collaborated with Target, the hyped release crashed Target’s site and the products were sold out in about 20 minutes. A reported 30,000 of the items appeared on eBay for major markups shortly after, and customers were furious.


RELATED: Everything You Need to Know About Product Drops: Strategies, Benefits & Examples

Product drop image

Influencer product releases, collectibles, even hot tubs

Influencer product releases, such as Kylie Jenner’s Kylie Cosmetics are also regular targets of bots and resellers. As are popular collectible toys such as Funko Pops and emergent products like NFTs. In 2021, we even saw bots turn their attention to vaccination registrations, looking to gain a competitive advantage and profit from the pandemic.

Not even hot tubs can avoid grinch bots!

With the pandemic affecting consumer shopping behavior in 2020, hot tubs apparently became a hot-ticket item in the U.K. Here’s what a leading bot operator told Business Insider:

“The focus shifted towards the most ridiculous things, like outdoor hot tubs. We noticed that these began selling out in stores, and reselling on eBay for a profit. So our developer wrote some site monitor software, and we tracked the stock of the sites selling hot tubs! Every time they pinged into stock, we would notify our members to buy it all.”

 

How to identify an ecommerce bot problem

It might sound obvious, but if you don’t have clear monitoring and reporting tools in place, you might not know if bots are a problem.

As bots get more sophisticated, they also become harder to distinguish from legitimate human customers.

So what should you look for? Here’s a few red flags.

 

1. Increase in login failures

A spike in login failures could signal credential stuffing and cracking bots trying to take over existing customer accounts.

 

2. Spike in account creations

Increased account creations, especially leading up to a big launch, could indicate account creation bots at work. They’ll create fake accounts which bot makers will later use to place orders for scalped product. 

 

3. Traffic from unfamiliar geographies

Seeing web traffic from locations where your customers don’t live or where you don’t ship your product? Then you may be under attack from bots. This traffic could be from overseas bot operators or from bots using proxies to mask their true IP address. 

 

4. Increase in shopping cart abandonment

An increased cart abandonment rate could signal denial of inventory bot attacks. These bots hold product so others can’t buy. When the cart time expires, they snatch the products up again. They’ll only execute the purchase once a shopper buys for a marked-up price on a secondary marketplace. This behavior will reflect in your cart abandonment rate.   

 

5. Visits to product pages that aren’t public-facing

Footprinting bots snoop around website infrastructure to find pages not available to the public. If a hidden page is receiving traffic, it’s not going to be from genuine visitors.

 

6. Increase in traffic from data center IP addresses

Genuine users rarely originate from data center IP addresses. Instead, bot makers typically host their scalper bots in data centers to obtain hundreds of IP addresses at relatively low cost. In fact, research shows 70% of bad bots come from data centers. A spike in data center traffic likely signals a bad bot problem.


RELATED: Improve Bot Protection with Data Center IP blocking

 

7. Abnormal pageviews or bounce rates

If you observe a sudden, unexpected spike in pageviews, it’s likely your site is experiencing bot traffic. If bots are targeting one high-demand product on your site, or scraping for inventory or prices, they’ll likely visit the site, collect the information, and leave the site again. This behavior should be reflected as an abnormally high bounce rate on the page.

 

Bots hidden among regular users

Why is bot management necessary?

You may be wondering, do shopping bots pose business risks if they result in products selling out? A sale's a sale, right?

This is a question many businesses face. While a one-off product drop or flash sale selling out fast is typically seen as a success, bots pose major risks to several key drivers of ecommerce success.

From harming loyalty to damaging reputation to skewing analytics and spiking ad spend—when you’re selling to bots, a sale’s not just a sale.

 

1. Bots harm customer trust & loyalty

Simply put, genuine shoppers view shopping bots snapping up most or all available product as incredibly unfair. 35% of online businesses report bot attacks result in:

  • Brand or reputational damage
  • Reduction in online conversions
  • More frequent data leaks

Back in the day shoppers waited overnight for Black Friday doorbusters at brick and mortar stores. They understood if products sold out.

There was a cost to getting in line in the wee hours. Sacrificing sleep. Missed time relaxing at home with family. And so on.

Online shopping bots let bot operators hog massive amounts of product with no inconvenience—they just sit at their computer screen and let the grinch bots do their dirty work.

Tweet reading: "At this point something has to be done about the sneaker bots. It's unfair"

In the frustrated customer’s eyes, the fault lies with you as the retailer, not the grinch bot. It’s seen as your failure. Genuine customers feel lied to when you say you didn’t have enough inventory. They believe you don’t have their interests at heart, that you’re not vigilant enough to stop bad bots, or both.

Fairness is one of the most important predictors of loyalty to ecommerce brands. This means if you’re not the sole retailer selling a certain item, shoppers will move to retailers where they feel valued. If you are the sole retailer, shoppers can get so turned off that your brand becomes radioactive—they won’t shop with you again, and they’ll tell their friends and family not to either.

RELATED: Customer Loyalty in Ecommerce: The Surprising Benefits of Fairness

 

2. Bots make you miss connections with genuine customers

When a true customer is buying a PlayStation from a reseller in a parking lot instead of your business, you miss out on so much.

First, you miss a chance to create a connection with a valuable customer. Hyped product launches can be a fantastic way to reward loyal customers and bring new customers into the fold. Shopping bots sever the relationship between your potential customers and your brand.

Second, this ruptured relationship loses you sales in the future. The lifetime value of the grinch bot is not as valuable as a satisfied customer who regularly returns to buy additional products.

Grinch bots are in it to flip a couple select items.

They couldn’t care less about your product bundles.

They won’t evangelize your brand.

And they certainly won’t engage with customer nurture flows that reduce costs needed to acquire new customers.

RELATED: Ecommerce Loyalty Programs: How to Keep Customers Coming Back for More

What’s worse, for flash sales on big days like Black Friday, retailers often sell products below margins to attract new customers and increase brand affinity among existing ones. In these scenarios, getting customers into organic nurture flows is enough for retailers to accept minor losses on products.

But when bots target these margin-negative products, the customer acquisition goals of flash sales go unmet. All you achieve is low-to-negative margin sales without any of the benefits.

Last, you lose purchase activity that forms invaluable business intelligence. Resellers get data on who the actual buyers are, not you. This leaves no chance for upselling and tailored marketing reach outs.

If you’re thinking, “Well, as long as someone buys my products, it’s not my problem what they do with them,” then you’re missing the crucial point of customer experience optimization: it’s not about how much product is purchased, it’s about how many customers you can give a great experience.

Retailers are at their most visible during hyped product drops and flash sales, and if all your products are out-of-stock and listed elsewhere by resellers, you lose a key opportunity to give a great brand experience to thousands of customers. They’ll be dismayed and seek products from competitors.

 

3. Bots jeopardize business contracts

In the ticketing world, many artists require ticketing companies to use strong bot mitigation. If the ticketing company doesn’t, they simply won’t get the contract.

The retail world is starting to see similar trends. For example, graphics card producer AMD sent a letter to all its retailers saying they “strongly recommend” the retailers take the following steps:

  • Bot detection and management
  • CAPTCHA implementation
  • Purchase limits
  • Reservations
  • Manual order processing
  • Limit reseller sales (B2B)
  • Inventory-to-Cart allocation

What is now a strong recommendation could easily become a contractual obligation if the AMD graphics cards continue to be snapped up by bots. Retailers that don’t take serious steps to mitigate bots and abuse risk forfeiting their rights to sell hyped products.

 

4. Bots increase operational & support costs

Immediate sellouts will lead to higher support tickets and customer complaints on social media. This means more work for your customer service and marketing teams.

Research estimates 75% to 80% of ecommerce operational costs are negatively impacted by malicious bots. These include:

  • Website infrastructure costs
  • Advertising and marketing expenditure
  • Customer support costs
  • Checkout fraud costs

In another survey, 33% of online businesses said bot attacks resulted in increased infrastructure costs. While 32% said bots increase operational and logistical bottlenecks.

Plus, if a bot attack slows or crashes your site, the burden on your teams and revenue will be even worse.


RELATED: The Cost of Downtime: IT Outages, Brownouts & Your Bottom Line

Get your free retail bots guide to discover 10 techniques & tools to beat bad bots

5. Bots create faulty analytics for decision-making

Bots can skew your data on several fronts, clouding up the reporting you need to make informed business decisions.

The fake accounts that bots generate en masse can give a false impression of your true customer base. Since some services like customer management or email marketing systems charge based on account volumes, this could also create additional costs.

Denial of inventory bots can wreak havoc on your cart abandonment metrics, as they dump product not bought on the secondary market.

Marketing spend and digital operations are just two of the many areas harmed by shopping bots.

 

6. Bots crash & slow down websites

By their nature, shopping bots use volume to their advantage. So it’s not difficult to see how they overwhelm web application infrastructure, leading to site crashes and slowdowns.

45% of online businesses said bot attacks resulted in more website and IT crashes in 2022.

To get a sense of scale, consider data from Akamai that found one botnet sent more than 473 million requests to visit a website during a single sneaker release.

Data from Akamai found one botnet sent more than 473 million requests to visit a website during a single sneaker release.

Or think about a stat from GameStop’s former director of international ecommerce. “At times, more than 60% of our traffic - across hundreds of millions of visitors a day - was bots or scrapers,” he told the BBC. With recent hyped releases of the PlayStation 5, there’s reason to believe this was even higher.

When Walmart.com released the PlayStation 5 on Black Friday, the company says it blocked more than 20 million bot attempts in the sale’s first 30 minutes. Every time the retailer updated the stock, so many bots hit that the website of America’s largest retailer crashed several times throughout the day. 

Bots will even take a website offline on purpose, just to create chaos so they can slip through undetected when the website comes back online.

Whether an intentional DDoS attack or a byproduct of massive bot traffic, website crashes and slowdowns are terrible for any retailer. They lose you sales, shake the trust of your customers, and expose your systems to security breaches.

Related: Prevent Website Crashes From Bot Traffic With a Virtual Waiting Room

How to prevent bots

As you’ve seen, bots come in all shapes and sizes, and reselling is a very lucrative business. For every bot mitigation solution implemented, there are bot developers across the world working on ways to circumvent it.

It’s a cat-and-mouse game. Which means there’s no silver bullet tool that’ll keep every bot off your site. Even if there was, bot developers would work tirelessly to find a workaround. That’s why just 15% of companies report their anti-bot solution retained efficacy a year after its initial deployment. The target is constantly moving for retailers.

The key to preventing bad bots is that the more layers of protection used, the less bots can slip through the cracks.

If you have four layers of bot protection that remove 50% of bots at each stage, 10,000 bots become 5,000, then 2,500, then 1,250, then 625. In this scenario, the multi-layered approach removes 93.75% of bots, even with solutions that only manage to block 50% of bots each. 

 

1. Monitor & identify bot traffic

As the saying goes, if you can’t measure it, you can’t improve it. If you don’t have tools in place to monitor and identify bot traffic, you’ll never be able to stop it.

Sometimes even basic information like browser version can be enough to identify suspicious traffic.

Once scripts are made, they aren’t always updated with the latest browser version. Human users, on the other hand, are constantly prompted by their computers and phones to update to the latest version. It’s highly unlikely a real shopper is using a 3-year-old browser version, for instance.

It's recommended to show CAPTCHAs to browsers not updated in 2 years, and to flat out block browsers that haven't been updated in three years.

 

CAPTCHA

End of life over 2 years ago

BLOCK

End of life over 3 years ago

Chrome version

< 87

< 78

Firefox version

< 83

< 70

Safari version

< 13

< 12

Edge version

< 86

< 44

Updated as of November 2022. Release version history is available for Chrome, Firefox, Safari, and Edge.

Professional bot mitigation platforms often include this type of digital fingerprinting. They look at known information like browser type, IP address, cookies, browser extensions, and so on to create a profile of users.

They’ll also analyze behavioral indicators like mouse movements, frequency of requests, and time-on-page to identify suspicious traffic. For example, if a user visits several pages without moving the mouse, that’s highly suspicious.

Look for bot mitigation solutions that monitor traffic across all channels—website, mobile apps, and APIs. Remember the Yeezy sneaker bots? They plugged into the retailer’s APIs to get quicker access to products. You need to cover all entry points.

Finally, the best bot mitigation platforms will use machine learning to constantly adapt to the bot threats on your specific web application. In the cat-and-mouse game of bot mitigation, your playbook can’t be based on last week’s attack.

 

2. Take action against suspicious traffic

It’s one thing to identify suspicious traffic. It’s another to respond.

Your bot mitigation solutions should let you test suspicious traffic. Common tests include Google’s CAPTCHA and PerimeterX’s Human Challenge.

Google’s CAPTCHA has grown more advanced over time, from initially typing in blurry words to Google analyzing browsing history and similar behavior to judge whether users are legitimate. The tool isn’t perfect—studies have shown how machine learning algorithms can defeat audio, image, and text-based CAPTCHAs at over 90% success rates—but it is one more hurdle malicious traffic would need to overcome.

HUMAN's (formerly PerimeterX) Human Challenge also uses behavioral data to flag suspicious users, who are then met with a “press and hold” challenge that’s easier for humans and harder for bots to solve.

PerimeterX HUMAN Human Challenge

For users flagged as bots, you need to tag and mitigate them. Options range from blocking the bots completely, rate-limiting them, or redirecting them to decoy sites. Logging information about these blocked bots can also help prevent future attacks.


RELATED: Block Bots & Abuse with the Right CAPTCHA for You

 

3. Filter bots with web traffic management

A security checkpoint in an airport screens passengers before they can board their flight.

Similarly, a virtual waiting room acts as a checkpoint inserted between a web page on your website and the purchase path.

A virtual waiting room is uniquely positioned to filter out bots by allowing you to run visitor identification checks before visitors can proceed with their purchase.

It has the added benefit of providing a fair shopping experience during hyped product releases, by randomizing anyone who comes early and placing latecomers in the waiting room in a first-come, first-served order.

Ticketmaster, for instance, reports blocking over 13 billion bots with the help of Queue-it's virtual waiting room. 

Related: Protect Against Bad Bots & Prevent Abuse With a Virtual Waiting Room


By managing your traffic, you'll get full visibility with server-side analytics that helps you detect and act on suspicious traffic. For example, the virtual waiting room can flag aggressive IP addresses trying to take multiple spots in line, or traffic coming from data centers known to be bot havens. These insights can help you close the door on bad bots before they ever reach your website.

 

Queue-it traffic insights Alerts page

A screenshot of the Alerts page from Queue-it's Traffic Insights analytics tool


4. Leave time for after-sale audits

Some shopping bots will get through even the best bot mitigation strategy. But just because the bot made a purchase doesn’t mean the battle is lost.

If you’re selling limited-inventory products, dedicate resources to review the order confirmations before shipping the products.

This is a strategy used by retailers including Walmart and Very. It can go a long way in bolstering consumer confidence that you’re truly trying to keep releases fair.

Review the orders and ask:

  • Are there multiple orders shipping to the same address?
  • Were several orders made using the same IP address?
  • Was the same credit card used by different customers?
  • Is there social media chatter from customers bragging about how they used bots to buy your product?

Taking a critical eye to the full details of each order increases your chances of identifying illegitimate purchases. 

But the most advanced bot operators work to cover their tracks. They use proxies to obscure IP addresses and tweak shipping addresses—an industry practice known as “address jigging”—to fly under the radar of these checks.

In the TechFirst podcast clip below, Queue-it Co-founder Niels Henrik Sodemann explains to John Koetsier how retailers prevent bots, and how bot developers take advantage of P.O. boxes and rolling credit card numbers to circumvent after-sale audits. 



Summary: Ecommerce bot protection

Shopping bots are becoming more sophisticated, easier to access, and are costing retailers more money with each passing year.

The brands that’ve struggled with bots for years, such as Nike, Sony, Amazon, and Walmart, know the threat of bots and are working hard to protect against them. But it’s no longer just big electronic and sneaker retailers that are facing bots. Bot traffic is growing across ecommerce and is impacting small and large websites alike.

To summarize the key points you need to know about online shopping bots:

  • Shopping bots are software designed to give users an unfair advantage while shopping online.

  • They scan websites and execute lightning-fast purchases in massive volumes to clear out stock for resale on secondary markets.

  • Retail bots come in all shapes and sizes, from scraping bots to account creation bots to denial of inventory bots.

  • Ecommerce bots target sales and product drops where they know they can resell products for profit, such as sneaker, graphics card, and gaming console releases.

  • You can identify a bot problem by digging through your analytics and identifying abnormal behavior, or by using bot mitigation software. 

  • Bots tarnish brand image, sever connections with valuable customers, crash websites, jeopardize business contracts, increase support costs, and muddle analytics crucial to decision making.

  • You need a suite of bot mitigation tactics to stay on top of your bot problem, from CAPTCHAs to web traffic management to post-sale audits.

While there's no one-and-done solution to prevent every bot every time, there are many tools available to protect your ecommerce site from bots and the problems they bring with them. It's important you evaluate your bot problem and take action, because as brands from Nike to Amazon to Sony to Foot Locker recognize, the fight against bots is a fight for your customers.

(This blog has been updated since it was written in 2021)

Discover 10 ways to stop bad bots with your free retail bots guide